Tags: security, coldfusion, authentication, scheduled-tasks, cflogin

ColdFusion scheduled tasks - how to secure when using <cflogin>?


I have a website written in ColdFusion that contains both the usual interactive web pages and some tasks run through the CF scheduler. The directory layout is

/
/app
/scheduledTasks

I'd like the tasks to be able to use all the same settings, etc. created in the application.cfc inside of /app, so I'd like to move that entire /scheduledTasks directory into /app. The problem is that that application.cfc uses the cflogin mechanism and my own login form. The CF scheduler only lets you supply a username and password for HTTP Basic authentication. The scheduled tasks will never get past that. How can I resolve this, or is there a better approach to begin with?

I've wondered about looking at some CGI variables in my application.cfc's OnRequestStart, such as the user agent, the remote IP, and/or a magic value in the URL params, and if all are there, bypass security since I "know" it's CF's scheduler on the other end. This isn't great security but it may be acceptable.

I've also wondered about creating a new application.cfc in my root that the application.cfc in /app inherits from. I'd leave the tasks where they are and put a new application.cfc there as well that inherits common stuff from the root. This increases complexity, though, and I've had issues when trying to access the CFCs inside of /app/cfcs from /scheduledTasks.

Has anyone had a similar problem and solved it?


Solution

  • Leave the scheduled tasks in their own folder, like you currently have it, off the root of the site.

  • Create an application.cfc in the scheduledTasks folder that extends the one in the app directory, like so:

    <!--- /scheduledTasks/Application.cfc: extends uses a dot-delimited path from the web root, i.e. the /app directory from the question --->
    <cfcomponent extends="app.Application" output="false">
        <!--- onRequestStart override goes here --->
    </cfcomponent>

  • Overload the onRequestStart method and put in your authentication, like so:

    <cffunction name="onRequestStart" returntype="boolean" access="public" output="false">
        <cfargument name="targetPage" type="any" required="true">
        <!--- Not calling super.onRequestStart() skips the parent's cflogin handling;
              instead the request must carry ?access=<application name> --->
        <cfif not structKeyExists(url, "access") or not url.access eq application.applicationName>
            <cflocation url="/" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    This is VERY basic security but will get the job done. Customize to your liking.
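A hardened version of the same idea, added here as an illustration and not part of the answer above or the asker's site. It covers both the asker's "check CGI variables plus a magic URL value" idea and the answer's URL-token check, with three changes a reviewer would ask for: the token is a per-install secret rather than the application name (assumed to be placed in application.taskSecret by the parent Application.cfc in /app during onApplicationStart, for example read from a file outside the web root), the caller must come from the loopback address (assuming the scheduler runs on the same host as the site), and a failed check returns 403 and is logged instead of redirecting. The names taskSecret, token and the log file are assumptions, not anything the page defines.

```cfml
<!--- /scheduledTasks/Application.cfc (added example; assumes app.Application
      sets application.taskSecret in onApplicationStart) --->
<cfcomponent extends="app.Application" output="false">

    <cffunction name="onRequestStart" returntype="boolean" access="public" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <cfset var ok = false>

        <!--- 1. Accept only requests from this host; the CF scheduler is assumed
              to run on the same machine as the site. --->
        <cfif listFindNoCase("127.0.0.1,::1", cgi.remote_addr)>
            <!--- 2. Require a token and compare it to the stored secret without
                  leaking where the mismatch occurs. --->
            <cfif structKeyExists(url, "token") and isDefined("application.taskSecret")>
                <cfset ok = secureEquals(url.token, application.taskSecret)>
            </cfif>
        </cfif>

        <!--- 3. Reject with 403 and a log line; no redirect, no page output.
              super.onRequestStart() is deliberately not called, so the parent's
              cflogin form never applies to the task folder. --->
        <cfif not ok>
            <cflog file="scheduledTasks" type="warning"
                   text="Rejected task request from #cgi.remote_addr# for #arguments.targetPage#">
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>

        <cfreturn true>
    </cffunction>

    <!--- Length-independent comparison: every character is examined, so the time
          taken does not reveal how many leading characters of the token matched. --->
    <cffunction name="secureEquals" returntype="boolean" access="private" output="false">
        <cfargument name="a" type="string" required="true">
        <cfargument name="b" type="string" required="true">
        <cfset var diff = bitXor(len(arguments.a), len(arguments.b))>
        <cfset var n = min(len(arguments.a), len(arguments.b))>
        <cfset var i = 0>
        <cfloop from="1" to="#n#" index="i">
            <cfset diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))))>
        </cfloop>
        <cfreturn diff eq 0>
    </cffunction>

</cfcomponent>
```

The scheduled task URL would then look like http://127.0.0.1/scheduledTasks/nightly.cfm?token=... (a constructed example path). Because the token travels in the query string it will appear in web server access logs, so treat it as a credential that needs rotating whenever those logs are shared, and keep the loopback check in place so a leaked token alone is not enough from another host.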